Quickjs Project Quickjs — known CVE vulnerabilities
Every CVE whose affected-product data names Quickjs Project Quickjs, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2025-62490 — CVSS 8.8 (high): In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is…
CVE-2025-62491 — CVSS 8.8 (high): A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled…
CVE-2025-62494 — CVSS 8.8 (high): A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The code first…
CVE-2025-62496 — CVSS 8.8 (high): A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from…
CVE-2025-62495 — CVSS 8.8 (high): An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the…
CVE-2020-22876 — CVSS 7.5 (high): Buffer Overflow vulnerability in quickjs.c in QuickJS, allows remote attackers to cause denial of service. This issue is resolved in the…
CVE-2023-31922 — CVSS 7.5 (high): QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c.
CVE-2023-48183 — CVSS 7.5 (high): QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.
CVE-2025-69654 — CVSS 7.5 (high): A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3…
CVE-2025-62492 — CVSS 6.5 (medium): A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of…
CVE-2025-69653 — CVSS 6.5 (medium): A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70…
CVE-2025-62493 — CVSS 6.5 (medium): A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the…
CVE-2025-46688 — CVSS 5.6 (medium): quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS…
CVE-2023-48184 — CVSS 3.9 (low): QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with…